[Dovecot] GSSAPI and virtual Users?

Jelmer Vernooij jelmer at samba.org
Sat Mar 25 15:40:06 EET 2006


On Sat, Mar 25, 2006 at 12:24:48PM +0200, Timo Sirainen wrote:
> On Wed, 2006-03-15 at 16:32 +0100, Jelmer Vernooij wrote:
> > On Wed, Mar 15, 2006 at 04:23:05PM +0100, S. Thias wrote:
> > > is there a possibility to map login-names to allowed
> > > Kerberos-Principals? At the moment GSSAPI-authentication seems to work
> > > only if loginname and kerberos-principal are the same, or am I missing
> > > something?
> > I'm afraid that at the moment, that's not (yet) possible. 
> I added now a pass=yes option to passdbs. This allows doing the
> conversion using eg.:

> passdb passwd-file {
>   args = /etc/imap.users
>   pass = yes
> }

> Where the imap.users file would contain entries like:

> imapuser:::::::user=realuser

> Or it could be done with SQL, LDAP or whatever.

> Now if only the GSSAPI code could somehow be told to do these passdb
> lookups. :) Maybe it should do it always for pass=yes passdbs? I'm not
> really sure..
That shouldn't be too hard to implement I guess (at the moment 
we simply require that the kerberos principal matches the username).
What functions do I need to call to look up the mapping?

Cheers,

Jelmer
-- 
Jelmer Vernooij <jelmer at samba.org> - http://jelmer.vernstok.nl/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: Digital signature
Url : http://dovecot.org/pipermail/dovecot/attachments/20060325/4710bcf2/attachment.pgp


More information about the dovecot mailing list